A small help with anti-exploit coding

Hi! I have been struggling with the exploit for half a year and studying how to get around it, or reduce the likelihood of an exploit.

What I will tell you below is my experience in dealing with the exploit; I think it will help some.

When the exploiter is in the game, it can change its speed from a decent 16 to 50, but the server will not notice this because the speed was changed on the client side but not on the server side.

Here is an example of an event:

  • If we change the speed on the client side, the server side will simply not notice it; otherwise, if we change the speed on the server side, the server will notice it.

Also, if the player changes his speed on the client side, the other players will see that the player is walking fast, but the server will not notice this:

  • Two examples of the above contain only one script without changes:

local Players = game:GetService("Players")
local maxSpeed = 50

Players.PlayerAdded:Connect(function(plr)
	-- Connect on every spawn: each respawn creates a new Humanoid
	plr.CharacterAdded:Connect(function(character)
		local humanoid = character:WaitForChild("Humanoid")
		local PrevSpeed = nil
		local CurrentSpeed = humanoid.WalkSpeed

		-- Fires only for WalkSpeed changes made on the server;
		-- a change made by the client does not replicate, so it is never seen here
		humanoid:GetPropertyChangedSignal("WalkSpeed"):Connect(function()
			local Speed = humanoid.WalkSpeed
			if Speed > maxSpeed then
				warn("Player walk speed hack detected! Previous Speed: ", CurrentSpeed, ", Current Speed: ", Speed)
			end
			PrevSpeed = CurrentSpeed
			CurrentSpeed = Speed
		end)
	end)
end)

Also, I do not advise using the automatic player ban function in your game due to an exploit, because if any error occurs in the anti-exploit script, the server will ban an innocent player. Use, for example, instant killing [Player.Character.Humanoid.Health=0] of a player in case of suspicious actions on the side of the client, or kick him [Player:Kick("\nHere must be reason of kicking")].

If you create an anti-exploit on a server script and it contains player values (for example: WalkSpeed, HumanoidStateType, JumpHeight), it will be useless because there is no way to check; even if you do it in a local script, the exploiter can simply disable or remove the local script. Well, if you still want to do it in the local script, read below.

Here is an example of a client script that, if it finds a thing that is only visible on the client side, will immediately kill the player:

  • The video contains one local script, one server script, a remote event and a remote function
  • The remote event and the remote function are located in ReplicatedStorage (remote event name: ‘CheckAdd’ | remote function name: ‘CheckScript’)
  • The local script is located in StarterPlayerScripts
  • The server script is located in ServerScriptService

Local script:

local Event = game.ReplicatedStorage.CheckAdd
local Checker = game.ReplicatedStorage.CheckScript

local Player = game.Players.LocalPlayer

Player.CharacterAdded:Connect(function()
	wait(5)
	Player.Character.DescendantAdded:Connect(function(child)
		Event:FireServer(child)
	end)
end)

Checker.OnClientInvoke = function()
	return "True"
end

Server script:

local Checker = game.ReplicatedStorage.CheckScript
local Event = game.ReplicatedStorage.CheckAdd

Event.OnServerEvent:Connect(function(plr,child)
	local tool = false
	for i,v in pairs(plr.Character:GetDescendants()) do
		if v==child then
			tool=true
		end
	end
	if tool then
		warn("tool was added from server side")
	else
		plr.Character.Humanoid.Health=0
		warn("tool was added from client side")
	end
end)

while wait(5) do -- This loop checks all players for removal of the anti-exploit script
	for i,v in pairs(game.Players:GetPlayers()) do
		local suc,s = pcall(function()
			if Checker:InvokeClient(v) ~= "True" then --if it does not return "True", the player will be kicked
				v:Kick("\nDon't Exploiting!")
			end
		end)
		if not suc then --if :InvokeClient() raised an error during the call
			v:Kick("\nDon't Exploiting!")
		end
	end
end

  • The two scripts above are just an example and are designed only for suspicious actions in the player's Character using the DescendantAdded function, but you can try it.

If the exploit tries to change the script, delete or disable the script, the server will immediately kick it:

I hope this will help some people with the exploit in their games.
My coding experience is a year and a half and I can probably make a mistake somewhere; if you find an error in the post, correct me.

7 Likes

I think the exploiter will only delete the LocalScript you made before using a speed hack. Wouldn’t it be better to check the speed in a server script? It is possible to check if the player is very fast without seeing the WalkSpeed or any information.

I think Magnitude is used to see that, but I’m not sure.

2 Likes

Also, an exploiter could also just hookfunction the DescendantAdded function to wait forever so it stops working.

3 Likes

Just delete the localscript and the anti exploit is deleted? What a nice tutorial.

Edit: kicking the player when the localscript is deleted is really helpful ig, thanks, I never knew that

3 Likes

This works in theory, but not in practice, because you’re still trusting the client to tell you when its LocalScript is still there. That means an exploiter can just make the Checker function always return true.

Or even never return! Indeed, you’re checking the return value but you’re not checking if it ever actually returns. What happens when it never returns? Well, your code stops. Forever.

Client-side anticheats are not smart. This is not smart, and it doesn’t work. Instead of trying to prevent someone from setting their WalkSpeed, which can’t be done, you should detect when someone is moving too fast for their WalkSpeed, and kick them then.

That can be done on the server which can’t be tampered with by clients.

2 Likes
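
The stall described in the reply above, handled on the server (an added example, not code from the thread): each `InvokeClient` call runs in its own thread with a deadline, so a client that never answers cannot stop the loop. `TIMEOUT` and `CHECK_PERIOD` are assumed values, and an "ok" result only shows that something answered, which the client controls.

```lua
-- Added example: server Script. TIMEOUT and CHECK_PERIOD are assumed values.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local Checker = ReplicatedStorage:WaitForChild("CheckScript") -- RemoteFunction from the post

local TIMEOUT = 5       -- seconds a client gets to answer
local CHECK_PERIOD = 10 -- seconds between rounds

local pending = {} -- [Player] = true while a probe is in flight

local function onResult(player, outcome)
	pending[player] = nil
	if outcome ~= "ok" and player.Parent then
		warn(player.Name, "client check result:", outcome)
		player:Kick("\nClient check failed")
	end
end

local function probe(player)
	if pending[player] then return end
	pending[player] = true
	local settled = false
	local function settle(outcome)
		if settled then return end -- whichever of reply or timeout comes first wins
		settled = true
		onResult(player, outcome)
	end
	task.spawn(function()
		-- InvokeClient yields only this thread; it may never resume
		local ok, reply = pcall(function()
			return Checker:InvokeClient(player)
		end)
		settle(if not ok then "error" elseif reply == "True" then "ok" else "bad")
	end)
	task.delay(TIMEOUT, settle, "timeout")
end

Players.PlayerRemoving:Connect(function(player)
	pending[player] = nil
end)

while true do
	for _, player in ipairs(Players:GetPlayers()) do
		probe(player)
	end
	task.wait(CHECK_PERIOD)
end
```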

If the exploiter removes or disables the script, the script on the server side will kick out the exploiter even if he deletes all the code in the local script. Can you check the code in Studio and then comment?

The post says that if I change the walking speed on the client side, the server script will not see this.

An exploiter can just delete the actual anti-cheat parts of the script

Read the post :grinning_face_with_smiling_eyes:

Exploiters have full access to anything accessible by them. An experienced exploiter may at first get trapped by this, but eventually not, because they will find workarounds. I should note that external executors have an auto-run function, so your anti-exploit can even be removed before the script runs. Even if you add a ping system, exploiters can still avoid this by just simply making the ping themselves.

1 Like

Found a way to exploit this.

Exploiters can execute this.

local Checker = game.ReplicatedStorage.CheckScript
Checker.OnClientInvoke = function()
	return "True"
end

And then safely delete the localscript; all it took is 2 copy-pastes.

Explanation: They can't really edit the scripts, but they can do this.

It would be cool if it was possible to return from the local script the function that is contained in the local script, and the server script would check it, and if it saw changes in the function, then it would kick the player.

He’s right imo. He could just keep the invoke client function as this serverscript does not detect if the script is changed anyway.

Nah, what's cooler is that Roblox should add a way to view client scripts in serverscripts, so it would be noice and we'd no longer worry about exploiters.

Even if that’s possible, the client could rename the arg to the normal/safe function but never execute it.

Just do sanity checks for remotes, and fly detection and speed stuff, on the server. Magnitude is a great start, but what if he bomb jumped? He would falsely get kicked, so we just need a very good anti-cheat on the server.

1 Like

I didn't say to check the WalkSpeed; a server script can check the speed changed on the client side using magnitude commands.

This is one of the things many new multiplayer game developers make a mistake on. I made it myself, but I learned a few things that made me realize my mistake. The mistake is that you are believing that you can force the client, or have a truthful answer from the client, via the server.

What you are essentially doing is making airport security ask people entering the plane whether they have forbidden items with them, and you are trusting their answers instead of verifying it yourself as the security guard.

No matter what trick you will pull off, it can be rendered useless, such as:

  • Checking if the source code of client script has changed.
  • Checking if client script has been deleted.
  • Checking if there is certain GUI in the PlayerGui.
  • Deleting the client script right after it runs.

And to be clear, every kind of check is essentially a question to the computer, and since the player has access to their computer, they can tamper with the answer. Therefore, no matter what kind of check you make, if it includes something that only the client would know, it might be answered with a lie.

Therefore client-sided anti-exploits are a bit pointless, but not entirely; however, you should never believe the client. What you should mainly focus on are proper sanity checks on the server, and if your game involves players fighting, where exploiting the character would give the exploiter an advantage, I would suggest implementing server-sided anti-exploits combined with client-sided ones (for inexperienced exploiters) where something is impossible to check on the server.

2 Likes

I want to point out you need something better than this because what if the player is falling off a tall building or using methods like bomb jump which pushes you very far? We need something better than that
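
The server-side movement check suggested in the replies above, as an added example that is not code from any poster in this thread: it samples each character's position on the server, ignores vertical movement so that falling is not flagged, and acts only after several consecutive over-limit samples so a single push from an explosion is tolerated. The interval, tolerance and strike count are assumed values to tune per game, and any teleport done by the game's own server code would need to reset that player's entry in `state`.

```lua
-- Added example: server Script (e.g. in ServerScriptService). Thresholds are assumed values.
local Players = game:GetService("Players")

local CHECK_INTERVAL = 0.5 -- seconds between position samples
local TOLERANCE = 1.5      -- slack for latency and physics jitter
local MAX_STRIKES = 3      -- consecutive bad samples before acting

local state = {} -- [Player] = { last = Vector3, good = Vector3, strikes = number }

local function check(player, dt)
	local character = player.Character
	local root = character and character:FindFirstChild("HumanoidRootPart")
	local humanoid = character and character:FindFirstChildOfClass("Humanoid")
	if not (root and humanoid) or humanoid.Health <= 0 then
		state[player] = nil -- dead or respawning: start over on the next sample
		return
	end
	local s = state[player]
	if not s then
		state[player] = { last = root.Position, good = root.Position, strikes = 0 }
		return
	end
	-- Ignore the Y axis so falling from a height is not counted as speed
	local delta = root.Position - s.last
	local moved = Vector3.new(delta.X, 0, delta.Z).Magnitude
	-- humanoid.WalkSpeed here is the server's copy, which a client-side edit does not change
	local allowed = humanoid.WalkSpeed * dt * TOLERANCE
	s.last = root.Position
	if moved <= allowed then
		s.good, s.strikes = root.Position, 0
		return
	end
	s.strikes += 1
	if s.strikes >= MAX_STRIKES then
		-- Sustained excess rather than a one-off push: move the player back, no ban
		warn(string.format("%s moved %.1f studs in %.2fs (allowed %.1f)", player.Name, moved, dt, allowed))
		root.CFrame = root.CFrame + (s.good - root.Position)
		s.last, s.strikes = s.good, 0
	end
end

Players.PlayerRemoving:Connect(function(player)
	state[player] = nil
end)

while true do
	local dt = task.wait(CHECK_INTERVAL)
	for _, player in ipairs(Players:GetPlayers()) do
		check(player, dt)
	end
end
```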

I thought he wouldn’t kick the fraudster out when he erased the local script. … but somehow he’d just let me know he did it. And so he’d fall into a trap. Because he’d think how easy he’d done it, and that he got away with it. And so when he does it more than once (to make it 100% certain), then science just gives him a straight ban. :+1:

Sorry if I have errors in the text. This makes the translator.

They can sort of edit them. Exploiters can hook functions, meaning they can replace a game’s default function with a new function the exploiter created, as seen here.

1 Like